Hacker Hijacks Storage Devices, Mines $620,000 in Dogecoin

Dogecoin, for those who don’t spend their time indulging in Internet meta-memes, may seem like harmless nerdery. But for one enterprising hacker, it’s created a small fortune—at the price of annoying a lot of systems administrators.

A pair of researchers at Dell’s Secureworks security division have traced a collection of malware-infected storage devices to a hacker who has amassed more than $620,000 worth of the currency, which they say he mined from those hijacked machines and others. They say that stash, largely created in just two months earlier this year, may be the largest cryptocurrency hoard ever mined from the computers of unwitting victims. (Wow.)

“To date, this incident is the single most profitable, illegitimate mining operation,” Pat Litke writes in a blog post explaining the findings. The two researchers concede, however, that they can only prove a small fraction of the coins were mined from the hacked storage boxes, and it’s not clear what other machines—compromised or not—the hacker used to mine such significant Doge riches.

Litke and fellow researcher David Shear have spent months following a security vulnerability in storage hardware made by Taiwanese firm Synology. In September, security researcher Andrea Fabrizi found that the operating system used by such devices contained flaws that would allow a remote attacker to gain control of the machines and install malware. In February, Synology users began complaining that their devices were running slowly, and one Facebook poster noted that he’d found a folder on his machine labelled “PWNED.”

In sample files shared online by infected users, Shear and Litke found a program known as CPUminer, used in mining cryptocurrencies like bitcoin. “That was the entrance to the rabbit hole,” says Litke. “It became clear there was a significant amount of money being made off these Synology boxes.”

While analyzing a config file in the “PWNED” folder, they discovered the mined currency wasn’t being sent to a bitcoin address, but to one associated with dogecoin, a half-serious alternative to bitcoin that has since its launch in December become one of the most active cryptocurrencies. By checking the dogecoin blockchain (the public ledger of all dogecoin transactions), they could see all the coins mined at that address and at another address associated with the same hacker.

In all, the two addresses produced more than 500 million dogecoins. Although that’s less than $200,000 at today’s exchange rate with the dollar, Litke and Shear say they found that the person controlling those coins was moving them out of the wallet as quickly as he or she produced them. Assuming the coins were being cashed in at the higher exchange rates seen at the time, the tally would have hit $620,496, by Dell’s calculations.

Synology issued a patch for the vulnerabilities as soon as it learned about the bugs on February 14, according to company spokesman Thadd Weil. “We take people’s data very seriously, and we want to let people know that their data is secure so long as they take precautions and keep their software up to date,” he said in an interview.

Litke and Shear say mining that many dogecoins couldn’t be accomplished with the hijacked storage devices alone—each has the cryptocurrency mining power of a smartphone, they say. Even thousands of the machines wouldn’t create the computing muscle necessary to mine millions of dogecoins. The limited power of the hijacked storage machines and other such devices may, however, explain why the hacker chose to mine dogecoin rather than bitcoin: Bitcoin’s highly competitive mining community makes it nearly impossible to mine coins with an ordinary CPU rather than a GPU or a specially designed ASIC chip.

Given the insufficient processing power of the Synology boxes, it’s not clear exactly how the hacker was able to mine the rest of his or her dogecoin wealth. But Shear and Litke found the username “Foilo” in the malware taken from the Synology machines, which they traced to accounts on GitHub and Bitbucket. From those accounts, they say they were able to learn that the hacker speaks German, and seems to be focused on security exploits, a hint that the rest of the dogecoins may have been mined from other hacked machines. “It’s pretty obvious he’s working with black hat code,” says Shear.

The Synology boxes are far from the first machines to be hijacked to produce cryptocurrency on behalf of a hacker. Bitcoin-mining malware for PCs has existed for years, and has recently branched off into machines as unlikely as phones and security camera DVRs.

As bitcoin mining becomes too difficult for those Internet-connected objects’ processors, expect more illegal mining to switch to bitcoin alternatives like dogecoin. Who would have thought a cute Shiba Inu could be so menacing?